CVE-2025-21604 - Vulnerability Details - OpenCVE

LangChain4j-AIDeepin is a Retrieval enhancement generation (RAG) project. Prior to 3.5.0, LangChain4j-AIDeepin uses MD5 to hash files, which may cause file upload conflicts. This issue is fixed in 3.5.0.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00091.

Exploitation none

Automatable yes

Technical Impact partial

No data.

No data.

No data.

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/moyangzhan/langchain4j-aideepin/commit/3cf625c5044a151a8cbcbdf98e10b4b46b8a975a
https://github.com/moyangzhan/langchain4j-aideepin/security/advisories/GHSA-cv5r-73vf-8x7v

History

Mon, 06 Jan 2025 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 06 Jan 2025 15:45:00 +0000

Type	Values Removed	Values Added
Description		LangChain4j-AIDeepin is a Retrieval enhancement generation (RAG) project. Prior to 3.5.0, LangChain4j-AIDeepin uses MD5 to hash files, which may cause file upload conflicts. This issue is fixed in 3.5.0.
Title		LangChain4j-AIDeepin Using MD5 to Hash files may cause file upload conflicts
Weaknesses		CWE-328
References		https://github.com/moyangzhan/langchain4j-aideepin/commit/3cf625c5044a151a8cbcbdf98e10b4b46b8a975a https://github.com/moyangzhan/langchain4j-aideepin/security/advisories/GHSA-cv5r-73vf-8x7v
Metrics		cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2025-01-06T15:34:54.794Z

Updated: 2025-01-06T16:51:12.757Z

Reserved: 2024-12-29T03:00:24.712Z

Link: CVE-2025-21604

Vulnrichment

Updated: 2025-01-06T16:51:08.675Z

NVD

Status : Received

Published: 2025-01-06T16:15:30.927

Modified: 2025-01-06T16:15:30.927

Link: CVE-2025-21604

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-21604", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-12-29T03:00:24.712Z", "datePublished": "2025-01-06T15:34:54.794Z", "dateUpdated": "2025-01-06T16:51:12.757Z"}, "containers": {"cna": {"title": "LangChain4j-AIDeepin Using MD5 to Hash files may cause file upload conflicts", "problemTypes": [{"descriptions": [{"cweId": "CWE-328", "lang": "en", "description": "CWE-328: Use of Weak Hash", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/moyangzhan/langchain4j-aideepin/security/advisories/GHSA-cv5r-73vf-8x7v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/moyangzhan/langchain4j-aideepin/security/advisories/GHSA-cv5r-73vf-8x7v"}, {"name": "https://github.com/moyangzhan/langchain4j-aideepin/commit/3cf625c5044a151a8cbcbdf98e10b4b46b8a975a", "tags": ["x_refsource_MISC"], "url": "https://github.com/moyangzhan/langchain4j-aideepin/commit/3cf625c5044a151a8cbcbdf98e10b4b46b8a975a"}], "affected": [{"vendor": "moyangzhan", "product": "langchain4j-aideepin", "versions": [{"version": "< 3.5.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-01-06T15:34:54.794Z"}, "descriptions": [{"lang": "en", "value": "LangChain4j-AIDeepin is a Retrieval enhancement generation (RAG) project. Prior to 3.5.0, LangChain4j-AIDeepin uses MD5 to hash files, which may cause file upload conflicts. This issue is fixed in 3.5.0."}], "source": {"advisory": "GHSA-cv5r-73vf-8x7v", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-01-06T16:51:02.691118Z", "id": "CVE-2025-21604", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-06T16:51:12.757Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-21604", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-06T16:51:02.691118Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-06T16:51:08.675Z"}}], "cna": {"title": "LangChain4j-AIDeepin Using MD5 to Hash files may cause file upload conflicts", "source": {"advisory": "GHSA-cv5r-73vf-8x7v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "moyangzhan", "product": "langchain4j-aideepin", "versions": [{"status": "affected", "version": "< 3.5.0"}]}], "references": [{"url": "https://github.com/moyangzhan/langchain4j-aideepin/security/advisories/GHSA-cv5r-73vf-8x7v", "name": "https://github.com/moyangzhan/langchain4j-aideepin/security/advisories/GHSA-cv5r-73vf-8x7v", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/moyangzhan/langchain4j-aideepin/commit/3cf625c5044a151a8cbcbdf98e10b4b46b8a975a", "name": "https://github.com/moyangzhan/langchain4j-aideepin/commit/3cf625c5044a151a8cbcbdf98e10b4b46b8a975a", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "LangChain4j-AIDeepin is a Retrieval enhancement generation (RAG) project. Prior to 3.5.0, LangChain4j-AIDeepin uses MD5 to hash files, which may cause file upload conflicts. This issue is fixed in 3.5.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-328", "description": "CWE-328: Use of Weak Hash"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-01-06T15:34:54.794Z"}}}, "cveMetadata": {"cveId": "CVE-2025-21604", "state": "PUBLISHED", "dateUpdated": "2025-01-06T16:51:12.757Z", "dateReserved": "2024-12-29T03:00:24.712Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-01-06T15:34:54.794Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "LangChain4j-AIDeepin is a Retrieval enhancement generation (RAG) project. Prior to 3.5.0, LangChain4j-AIDeepin uses MD5 to hash files, which may cause file upload conflicts. This issue is fixed in 3.5.0."}], "id": "CVE-2025-21604", "lastModified": "2025-01-06T16:15:30.927", "metrics": {"cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "LOW", "vulnerableSystemConfidentiality": "NONE", "vulnerableSystemIntegrity": "LOW"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-01-06T16:15:30.927", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/moyangzhan/langchain4j-aideepin/commit/3cf625c5044a151a8cbcbdf98e10b4b46b8a975a"}, {"source": "security-advisories@github.com", "url": "https://github.com/moyangzhan/langchain4j-aideepin/security/advisories/GHSA-cv5r-73vf-8x7v"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-328"}], "source": "security-advisories@github.com", "type": "Primary"}]}